Posts

  • T-Mobile’s most recent 2021 data breach impacts 50+ million people. The exposed information includes Social Security numbers (SSNs), driver’s licenses, phone numbers, and International Mobile Equipment Identities (IMEIs) and International Mobile Subscriber Identities (IMSIs).
  • According to Threatpost, Microsoft’s Power Apps management portal exposed the data of 47 businesses for months, including 38 million people’s personal records. The information exposed varies by company. However, it ranges from names, COVID-19 vaccination status, email addresses, and phone numbers to SSNs and job titles.
  • Approximately 1.4 million people were impacted by a ransomware attack on St. Joseph’s/Candler Health System in Georgia that shut down the healthcare provider’s systems. Information compromised includes health insurance information, financial information and medical records information.
  • Anyone impacted by a data breach should follow the advice in the notification letter, change their password to a long and unique passphrase and keep an eye out for phishing attempts that claim to be from the breached organization.
  • For more information about August 2021 data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) data breach tracking tool, notified.   
  • If you believe you are a victim of identity theft from a data breach, contact the ITRC toll-free at 888.400.5530 or through live-chat on the company website www.idtheftcenter.org.

Notable August Data Breaches

Of the nearly 160 data events the Identity Theft Resource Center (ITRC) tracked in August, three stand out: T-Mobile, Microsoft and Georgia’s St. Joseph’s/Candler Health System (SJ/C). T-Mobile’s latest 2021 data breach highlights the jump in mobile breaches. The Microsoft data event is significant because it’s due to a flaw in a platform’s security. Finally, SJ/C exposed 1.4 million people’s personal information after a ransomware attack on the healthcare system.

T-Mobile

According to T-Mobile, identity criminals compromised T-Mobile’s systems. The company says hackers gained access to their testing environments and then used brute force attacks and other methods to make their way into other IT servers. T-Mobile located and closed the access point they believe was used to gain entry to their servers.

On August 17, T-Mobile confirmed that approximately 47 million people were impacted by their latest data breach in 2021. T-Mobile also said the data stolen from their systems includes personal information like customers’ names, dates of birth, Social Security numbers (SSNs), and driver’s license/identity information for current, past, and prospective customers.

However, in an update on August 20, T-Mobile said they discovered that phone numbers, as well as the typical numbers that allow a mobile phone to be identified and join a network (the International Mobile Equipment Identity (IMEI) and International Mobile Subscriber Identity (IMSI)), were also compromised in the third T-Mobile data breach since December 2020. T-Mobile identified another 5.3 million current customer accounts with one or more associated names, addresses, dates of birth, phone numbers, and IMEIs and IMSIs illegally accessed. For more information on the T-Mobile data breach and steps to take, click here.

Microsoft

According to Threatpost, research from UpGuard revealed Microsoft’s Power Apps management portal accidentally exposed the data of 47 businesses for months, including 38 million people’s personal records. UpGuard reports that Microsoft’s Power Apps platform was flawed in the way it forced customers to configure their data as private or public. The article says that Microsoft does not consider the data issue a vulnerability, rather a configuration issue that can be improved.

Information exposed varies per business. However, the personal information ranges from names, COVID-19 vaccination status, email addresses and phone numbers to SSNs and job titles. Some of the notable businesses impacted are American Airlines, Ford, the Maryland Department of Health and the New York City schools. 

UpGuard says since disclosure of the issue, Microsoft released a tool for checking Power Apps portals for leaky data. Microsoft also plans to change the product so that permissions will be enforced by default. Microsoft’s data event is one of the first data breaches in 2021 the ITRC has seen due to a flaw in platform security. It is considered one of the rarest forms of data compromise.

St. Joseph’s/Candler Health System

On August 10, SJ/C, a healthcare system in Savannah, Georgia, released information on a ransomware attack on their systems. According to the news release, SJ/C found suspicious activity in its IT network and launched an investigation. The investigation determined that the incident resulted in an unauthorized party gaining access to its IT networks between December 18, 2020 and June 17, 2021 and launching a ransomware attack, making the systems inaccessible.

Nearly 1.4 million individuals were impacted by the data breach, both patients and employees. At-risk information includes SSNs, driver’s license numbers, patient account numbers, billing account numbers, financial information, health insurance plan member I.D. numbers, medical record numbers, medical and clinical treatment information and much more.

SJ/C says, following the incident, they have implemented and will continue to adopt additional safeguard and technical security measures to further protect and monitor its systems. The ITRC has seen similar incidents happen across the U.S., including at Scripps Health in San Diego, California.

What to Do if These Breaches Impact You

Anyone who receives a data breach notification letter should follow the advice offered by the impacted company. The ITRC suggests you immediately change your password and switch to a 12+-character passphrase, change the passwords of other accounts with the same password as the breached account, consider using a password manager, use multi-factor authentication with an app (not SMS/Text) and to keep an eye out for phishing attempts that claim to be from the breached organization.   

T-Mobile recommends all eligible customers sign up for scam blocking protection through the company’s Scam Shield as protection from the latest data breach in 2021. They are also directing people to a customer support webpage with breach information and access to tools.

SJ/C has a toll-free incident response line to answer people’s questions about the latest data breach in 2021. Anyone can call 855.623.1933 Monday through Friday between 8 a.m. and 5:30 p.m. EST. Additional information is available at www.sjchs.org.

notified 

For more information about August data breaches in 2021, or other data compromises, consumers and businesses should visit the ITRC’s data breach tracking tool, notified, free to consumers.   

Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.      

Contact the ITRC 

If you believe you are the victim of an identity crime or your identity has been compromised in a data event, you can speak with an ITRC expert advisor toll-free by phone (888.400.5530) or live-chat. Just go to www.idtheftcer.org to get started.   

  • data breach of telecommunications company Mint Mobile occurred after some phone numbers were ported and data was accessed. The Mint Mobile data breach is one of the latest data events to affect a telecommunications company, highlighting the risk of mobile breaches. 
  • Insurance company BackNine suffered a data compromise due to a misconfigured database, impacting 711,000 files with information including Social Security numbers (SSNs) and medical diagnoses. The data event stresses the importance of being careful when using cloud databases. 
  • CNA Financial Corporation fell victim to a ransomware attack, leading to a data breach that impacted 75,349 people. Attacks like this, which involved SSNs, on businesses continue to rise. 
  • For more information about July data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) data breach tracking tool, notified.    
  • If you believe you are a victim of identity theft from a data breach, contact the ITRC toll-free at 888.400.5530 or through live-chat on the company website www.idtheftcenter.org.   

Notable July Data Breaches 

Of the 163 data events the Identity Theft Resource Center (ITRC) tracked in July, three stand out: Mint Mobile, BackNine and CNA Financial Corporation. All three data events are notable for unique reasons. One highlights the risk of mobile breaches. Another is an example of the need to be careful with cloud databases. The third is a ransomware attack that involves Social Security numbers (SSNs).  

Try our Latest Breaches feature at notified.idtheftcenter.org

Mint Mobile 

A Mint Mobile data breach occurred after phone numbers were ported by cybercriminals and data was accessed. Sometime between June 8-10, a threat actor ported the phone numbers for a handful of Mint Mobile subscribers to another carrier without authorization. According to Bleeping Computer, Mint Mobile disclosed that an unauthorized person also potentially accessed subscribers’ personal information, including call histories, names, addresses, emails and passwords.  

Try our Custom Breach Search feature at notified.idtheftcenter.org

Bleeping Computer reports that Mint Mobile has not said how the threat actor gained access to subscribers’ information. However, based on the accessed data, hackers likely hacked user accounts or compromised a Mint Mobile application used to manage customers.  

The Mint Mobile data breach is the latest to shine a light on the risk of mobile data breaches and the need for better security for customer-facing support systems. In January, the ITRC highlighted a similar breach of U.S. Cellular where hackers gained access to protected systems by installing malware on a computer at a U.S. Cellular retail store.  

BackNine 

A data breach of BackNine, an insurance technology startup, led to 711,000 files being impacted. According to TechCrunch, a security lapse exposed insurance applications at BackNine after one of its cloud servers was left unprotected on the internet. The storage server was misconfigured, and anyone with internet access could view the files.  

Personal information exposed includes names, addresses, phone numbers, SSNs, medical diagnoses, medications taken and detailed completed questionnaires about an applicant’s health, past and present. Other files included lab and test results, such as bloodwork and electrocardiograms. Some files also contained driver’s license numbers. The exposed documents date as far back as 2015 to as recent as July 2021.  

The BackNine data event is a prime example of why companies need to be careful when using cloud databases. If a cloud database is not configured correctly, anyone can access it and may commit an array of identity crimes. It is also important organizations do what they can to protect sensitive data to maintain people’s trust.  

CNA Financial Corporation 

Insurance company CNA Financial Corporation suffered a data breach linked to a ransomware attack. According to CNA’s breach notice, an investigation revealed that the threat actor accessed certain CNA systems at various times from March 5, 2021, to March 21, 2021, and copied a limited amount of information before deploying the ransomware.  

The breach notice states that the data event impacted 75,349 people, and information in the stolen files includes names, SSNs and, in some instances, information related to health benefits for certain people. CNA says, right now, there is no reason to believe the data was stolen or misused. However, they are offering free credit monitoring and fraud protection services through Experian. CNA is just one of many ransomware attacks on businesses being seen by the ITRC. 

What to Do if These Breaches Impact You 

Anyone who receives a data breach notification letter should follow the advice offered by the impacted company. The ITRC suggests you immediately change your password and switch to a 12+-character passphrase, change the passwords of other accounts with the same password as the breached account, consider using a password manager and to keep an eye out for phishing attempts that claim to be from the breached organization.   

Mint Mobile warns users affected by the Mint Mobile data breach to protect other accounts that use their phone numbers for validation purposes and reset account passwords since threat actors could have used the ported numbers for additional attacks. 

CNA Financial Corporation asks impacted individuals to review their “Information About Identity Theft Protection” document, which includes information on placing a fraud alert or credit freeze on a credit file.  

notified 

For more information about July data breaches, or other data compromises, consumers and businesses should visit the ITRC’s data breach tracking tool, notified, free to consumers.   

Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.      

Contact the ITRC 

If you believe you are the victim of an identity crime or your identity has been compromised in a data event, you can speak with an ITRC expert advisor at no cost by phone (888.400.5530) or live-chat. Just go to www.idtheftcer.org to get started.   

  • According to a new report from NTT Application Security, the percent of application software being patched has dropped below 50 percent. It is partly because more applications are being tested in the wake of recent high-profile cyberattacks. 
  • The average time to fix the most severe software vulnerabilities in a large enterprise is 203 days. That number is more than twice that figure in some industries. 
  • The report also reveals that most applications in 10 of the 11 leading industries tracked by NTT Application Security have at least one software flaw open to attack every day of the year. 
  • Cybersecurity teams are failing to fix software vulnerabilities on a timely basis, which is one reason why cybercriminals have success attacking businesses
  • To learn about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC’s) data breach tracking tool, notified
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.  

A King of Shreds & Patches 

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for July 30, 2021Our podcast is possible thanks to support from Experian and Sentilink. Each week we look at the most recent events and trends related to data security and privacy. This week, we discuss one of the primary causes of cyberattacks that leads to data compromises – known but unpatched software vulnerabilities and flaws.  

In Shakespeare’s Hamlet, the troubled prince refers to his uncle, a usurper of the Danish throne, as a rag-tag monarch: “A king of shreds & patches.” That description also applies to how much modern software is riddled with known flaws that give cybercriminals an easy path into organizations. There’s a report out this week that gives us a clue into just how difficult it is to patch software, even when the bugs are well known. 

Cybersecurity Teams Struggle to Quickly Fix Software Vulnerabilities 

Global cybersecurity provider NTT Application Security claims that cybersecurity teams are struggling to fix issues quickly. So far this year, the percent of application software being patched has dropped below 50 percent, partly because more applications are being tested in the wake of recent high-profile cyberattacks. 

Still, the time to patch has not improved over time. The average time to fix the most severe software vulnerabilities and flaws in a large enterprise is 203 days. In some industries, the number is more than twice that figure. The time needed to fix software used in the agriculture and forestry sector is the highest at 513 days, on average. The education sector, a common target for ransomware attacks, is the second slowest industry and requires an average of 478 days to fix a known flaw. 

How long does it take for a cybercriminal to exploit software vulnerabilities? A 2020 report puts the time to breach a system at as few as two hours once a flaw is publicly announced, usually at the same time a fix is issued. 

The Consequences of Slow Response Times to Patch Flaws 

The universally slow patch cycle where companies prioritize which software vulnerabilities they fix in what order has an unintended consequence, too. The lower the risk, the longer the time to patch. That allows cybercriminals to develop new attacks that link several lower-risk flaws into a single attack that is hard to detect and defend.  

NTT Application Security’s research shows that the same kind of software vulnerabilities continue to appear in new and updated applications. Most of the flaws identified in the first six months of 2021 fall into the same five categories month after month. 

What does that tell us? According to the report’s authors, it means that the people who are developing software and the teams that are protecting systems are not talking to one another, at least not enough to learn what bugs are common and how to fix them. 

Most Applications Have At least One Software Flaw Open to Attack 

There’s one last statistic from the NTT Application Security report that should be discussed. A majority of applications in 10 of the 11 leading industries tracked by NTT have at least one software flaw open to attack every day of the year. That explains why cybercriminals are successful at attacking businesses

Next week, we’ll take a look at the ever-growing costs to businesses that suffer a data compromise as calculated in a new report from IBM

Contact the ITRC 

If you have questions about how to keep your personal information private and secure, visit www.idtheftcenter.org, where you will find helpful tips. 

If you think you have been the victim of an identity crime or a data breach and you need help figuring out what to do next, you can speak with an expert advisor on the phone (888.400.5530), chat live on the web or exchange emails during normal business hours (6 a.m.-5 p.m. PST). 

Thanks again to Sentilink and Experian for supporting the ITRC and this podcast. Be sure to check out our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown


  • According to the Identity Theft Resource Center’s (ITRC) First Half 2021 Data Breach Analysis, data compromises are up 38 percent over the first quarter of 2021. If this trend from the data breach statistics continues, 2021 will set an all-time high for data compromises.
  • While data compromises are up, the number of individuals impacted is down 20 percent quarter-over-quarter. If the current trajectory holds, 2021 will see the fewest number of impacted individuals since 2016.
  • Phishing and Ransomware remain the top two root causes of data compromises for the second quarter and the first half of the year. However, supply chain attacks continue to increase in volume, scale and complexity.
  • To learn about recent data breaches, or to see the ITRC’s data breach statistics in our latest report, consumers and businesses should visit the ITRC’s data breach tracking tool, notified.
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.

First Half 2021

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for July 9, 2021. Our podcast is possible thanks to support from Experian. Each week we look at the most recent events and trends related to data security and privacy. This week we look at the ITRC’s data breach statistics and trends for the second quarter of this year and what they tell us about how we may end 2021.

How the ITRC Reports Data

First, here’s a brief reminder of how the ITRC reports data. We only include information from U.S. data events that are publicly-reported. We report 1) data compromises, which includes data breaches, data exposures (think cloud databases with no security), and 2) data leaks, generally public information that is aggregated and used for a purpose other than that for which it was intended (think scraping information from social media sites that are sold for marketing lists or used for phishing attacks).

Key Takeaways from the ITRC’s First Half 2021 Data Breach Analysis

Now, let’s look at the key takeaways from this week’s ITRC First Half 2021 Data Breach Analysis:

  • According to the ITRC’s data breach statistics, data compromises are up 38 percent over the first quarter of 2021, putting us on a trajectory to end 2021 with a record level of compromises. Every month this year (except May) has seen data compromises higher than the month before. If this trend continues, we will exceed the all-time high number of compromises set in 2017 of 1,632 publicly-reported data events.
  • However, the number of people impacted by data compromises is down 20 percent quarter-over-quarter. That means we could end 2021 with fewer than 250 million victims of identity compromises, which continues a trend away from the mass collection of individual information that started in 2018.
  • The data breach statistics show we are on pace to have the highest number of data compromises ever in the same year that we could see the fewest number of people impacted since the all-time high was set in 2016.
  • Data compromises are rising or flat pretty much across the board, with half of the sectors tracked by the ITRC showing increases.
  • Manufacturing & Utilities and Professional Services are seeing significant increases while Healthcare and Retail are seeing data compromises drop. This shift reflects the broader trend of cybercriminals focusing their attention on critical infrastructure entities, so important they cannot be allowed to remain offline, and targets considered to be not as well defended. It is all in hopes of securing larger ransomware payments.
  • Phishing and Ransomware remain the #1 and #2 root causes of data compromises for the second quarter (Q2) and the first half of the year. However, supply chain attacks continue to increase in volume, scale and complexity. Attacks against vendors that give criminals access to many companies through a single data or security breach increased 19 percent in Q2. The 58 supply chain attacks through June 30, 2021 compares to the 70 malware-related compromises for the year so far. These data breach statistics indicate that third-party risks are poised to surpass malware as the third most common root cause of data events by the end of this year.
  • Just two days after the end of the second quarter, a major supply chain attack was launched against the cybersecurity provider Kaseya. Cybercriminals demanded a record $70 million in ransom to restore the operations of more than 1,500 companies impacted by the attack. It’s not known if any personal information has been compromised. However, we know this early third quarter (Q3) attack is an indication that cybercriminals are launching ever more sophisticated attacks that command larger and larger ransom payments.

Contact the ITRC

If you have questions about how to keep your personal information private or secure, visit www.idtheftcenter.org, where you will find helpful tips, and where you can download our First Half 2021 Data Breach Analysis to see our data breach statistics.

If you think you have been the victim of an identity crime or a data breach and you need help figuring out what to do next, you can speak with an expert advisor on the phone (888.400.5530), chat live on the web or exchange emails during our normal business hours (6 a.m. to 5 p.m. PST). Just visit www.idtheftcenter.org to get started.

Thanks again to Experian for supporting the ITRC and this podcast. Be sure to check out our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown. 

  • According to a report from Javelin Strategies, traditional identity theft is declining. However, what one might think of as identity theft is being replaced by identity fraud.
  • trend identified by the Identity Theft Resource Center (ITRC) in 2020. Cybercriminals continue to move away from mass data breaches of consumer information to more targeted attacks like phishing, ransomware and supply chain attacks.
  • There is no reason for consumers to panic. One record exposed is one too many, but one can’t determine the risk represented by a data breach based on the size of the breach. Knowing what records are exposed is far more important than how many records are compromised.
  • To learn about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified. 
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.

The Path is Smooth That Leadeth on to Danger

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for April 2, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. Last week we talked about the FBI’s most recent cybercrime report that shows an exponential increase in cybercrime and the losses associate with it. This week we look at how people can assess what that really means for them or their business.

In his poem, Adonis and Venus, Shakespeare wrote, “The path is smooth that leadeth on to danger.” That is the title of this week’s episode, reflecting how our desire for convenience often leads to risky behaviors.

Traditional Identity Theft is on the Decline

Let’s start with a good and bad news trend. A report from Javelin Strategies is the latest to show that “traditional identity theft” is declining. That’s good news. However, here is the “but” people may be expecting: what we think of as identity theft is being replaced by identity fraud.

Identity Fraud Cases Are on the Rise

What does that mean? It’s part of the general trend we’ve discussed where cybercriminals move away from mass data breaches of consumer information to more targeted attacks. Phishing, ransomware and supply chain attacks are good examples of the kinds of exploits that allow criminals to hit a company. The criminals reap hundreds of thousands of dollars from a single organization instead of the old-school way of attacking thousands of consumers.

However, less risk to individuals is not the same as low or no risk. In fact, the whole concept of identity fraud is based on using consumer behaviors to lure people into a scam. Maybe it’s a text that says someone’s Amazon account has been frozen, and the user needs to click on a link to verify their password to unlock it – and they do. They have just given them their login and password, which regulars of the podcast know are 10x more valuable to a data thief than a consumer’s credit card information.

Maybe someone gets an email from Google or Microsoft claiming their payment card is about to expire. All the user needs to click on is a link to log in and update their information. However, the email and login webpage are deep fakes, and the user just shared their login, password and credit card information with criminals.

All of these phishing techniques are predicated on our behaviors as humans, the need to instantly address any issue that appears by text or email in the most convenient way possible.

While different research reports come up with different identity fraud case totals, they all agree it is on the rise, and the dollar value starts with a B, as in billions. Right now, one might be thinking, “Well, that’s just great. Do I panic now or panic later?”

No Reason for Consumers to Panic

First, there is no reason to panic at all. People may have seen a media headline that talked about more records being exposed in data breaches in 2020 than in the past 15 years combined. While that is attention-grabbing, it’s not particularly meaningful.

One record exposed is one too many, but the reality is one can’t determine the risk represented by a data breach based on the size of the breach. Someone’s date of birth and Social Security number are two records. They may have been exposed thousands of times over the past 15 years, but they are still only two data points, and they don’t change.  However, the risk associated with each data point is very different.

Knowing what records are exposed is far more important than how many records are compromised. Knowing how to protect your own information is the most important information, and that’s where the ITRC can help.

Contact the ITRC

If anyone has questions about keeping their personal information private and how to protect it, they can visit www.idtheftcenter.org, where they will find helpful tips on these and many other topics. 

If someone thinks they have been the victim of an identity crime or a data breach and needs help figuring out what to do next, they should contact us. People can speak with an expert advisor on the phone, chat live on the web, or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Visit www.idtheftcenter.org to get started.  

Be sure to check out the most recent episode of our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown.  

In 2020, the number of individuals impacted by a data breach was down 66 percent from 2019; cybercriminals continue to shift away from mass attacks seeking consumer information and towards attacks aimed at businesses using stolen logins and passwords  

SAN DIEGO, January 28, 2021 – Today, the Identity Theft Resource Center® (ITRC), a nationally recognized non-profit organization established to support victims of identity crime, released its 15th annual Data Breach Report. According to the report, the number of U.S. data breaches tracked in 2020 (1,108) decreased 19 percent from the total number of breaches reported in 2019 (1,473). In 2020, 300,562,519 individuals were impacted by a data breach, a 66 percent decrease from 2019.  

The 2020 Data Breach Report shows the continuation of a trend from 2019: cybercriminals are less interested in stealing large amounts of consumers’ personal information. Instead, threat actors are more interested in taking advantage of bad consumer behaviors to attack businesses using stolen credentials like logins and passwords. Due to the shift in tactics, ransomware and phishing attacks directed at organizations are now the preferred data theft method by cyberthieves.  

Ransomware and phishing attacks require less effort, are largely automated, and generate much higher payouts than taking over individuals’ accounts. One ransomware attack can generate as much revenue in minutes as hundreds of individual identity theft attempts over months or years. According to Coveware, the average ransomware payout has grown from less than $10,000 per event in Q3 2018 to more than $233,000 per event in Q4 2020. 

Download the ITRC’s 2020 Data Breach Report 

“While it is encouraging to see the number of data breaches, as well as the number of people impacted by them decline, people should understand that this problem is not going away,” said Eva Velasquez, president and CEO of the Identity Theft Resource Center. “Cybercriminals are simply shifting their tactics to find a new way to attack businesses and consumers. It is vitally important that we adapt our practices, and shift resources, to stay one step ahead of the threat actors. Although resources continue to decline for victims of identity crimes, the ITRC will continue to help impacted individuals by providing guidance on the best ways to navigate the dangers of all types of identity crimes.” 

One notable case study highlighted in the ITRC’s 2020 Data Breach Report is the ransomware attack on Blackbaud, a technology services company used by non-profit, health and education organizations. A professional ransomware group stole information belonging to more than 475 Blackbaud customers before informing the company the information was being held hostage. The stolen information included personal information relating to more than 11 million people that was later reported to have been destroyed by the cybercriminals after Blackbaud paid a ransom.  

Another notable finding was that supply chain attacks are becoming increasingly popular with attackers since they can access the information of larger organizations or multiple organizations through a single, third-party vendor. Often, the organization is smaller, with fewer security measures than the companies they serve.  

To learn more about the latest data breaches, visit the ITRC’s interactive data breach tracking tool, notified. It is updated daily and free to consumers.  

For anyone that has been a victim of a data breach, the ITRC recommends downloading its free ID Theft Help app to manage the various aspects of an individual’s data breach case. 

Consumers and victims can receive free support and guidance from a knowledgeable live-advisor by calling 888.400.5530 or visiting idtheftcenter.org to live-chat. 

About the Identity Theft Resource Center  

Founded in 1999, the Identity Theft Resource Center® (ITRC) is a non-profit organization established to empower and guide consumers, victims, business and government to minimize risk and mitigate the impact of identity compromise and crime. Through public and private support, the ITRC provides no-cost victim assistance and consumer education through its website live-chat idtheftcenter.org, toll-free phone number 888.400.5530, and ID Theft Help app. The ITRC also equips consumers and businesses with information about recent data breaches through its data breach tracking tool, notified.   

Media Contact 

Identity Theft Resource Center 
Alex Achten 
Earned & Owned Media Specialist 
888.400.5530 Ext. 3611 
media@idtheftcenter.org  

  • According to a survey by Proofpoint, ransomware attacks are now viewed as the top cybersecurity threat by nearly half, 46 percent, of Chief Information Security Officers. 
  • Cybersecurity firm Emsisoft found that at least 2,354 U.S. government agencies, healthcare facilities and schools were the victims of ransomware attacks in 2020. 
  • The Emsisoft report also reports that more than 1,300 companies lost data, including intellectual property and other sensitive information in 2020. 
  • Ransomware attacks cause significant disruption when ambulances carrying emergency patients are redirected, cancer treatments are delayed, lab test results are inaccessible and 9-1-1 services are interrupted. 
  • For information about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) new data breach tracking tool, notified
  • Keep an eye out for the ITRC’s 15th Annual Data Breach Report. The 2020 Data Breach Report will be released on January 28, 2021.  
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the Identity Theft Resource Center toll-free at 888.400.5530 or via live-chat on the company website. 

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for January 22, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy.  Human beings tend to end a year by looking forward, but begin the new year by looking back. This week, such is the case when researchers, having just finished publishing their 2021 predictions, turn to sharing their annual trend reports. How many of X and the increase or decrease in Y. 

Here, we are interested in the trends that impact consumers and businesses regarding data privacy and security. The first significant report on those topics concludes that ransomware attacks are now the single biggest cyber threat to companies based on what happened in 2020. If it’s a threat to businesses, it’s a threat to consumers. 

You may not know the name Phil Dusenberry, but you know his work. If you saw a Pepsi commercial during the ’80s, ‘90s and early 2000s, you saw his handy work. If you ever saw the “Morning in America” film for President Reagan or the baseball movie, “The Natural”, those belonged to Phil Dusenberry, too. Now, he has contributed to today’s episode when he said: “Writing advertisements is the second most profitable form of writing. The first, of course, is…” Hold that thought, and we’ll come back to it.  

Ransomware Attacks Considered A Top Cybersecurity Threat 

Cybersecurity firm Proofpoint has found that ransomware attacks are now viewed as the top cybersecurity threat by nearly half, 46 percent, of Chief Information Security Officers in a recent survey. Even more alarming is research from New Zealand-based cybersecurity firm Emsisoft that concludes at least 2,354 U.S. government agencies, healthcare facilities and schools were the victims of ransomware attacks in 2020. The impacted organizations include: 

  • 113 federal, state and municipal governments and agencies 
  • 560 healthcare facilities 
  • 1,681 schools, colleges and universities 

These kinds of attacks cause significant, and sometimes life-threatening, disruption when ambulances carrying emergency patients have to be redirected, cancer treatments are delayed, lab test results are inaccessible and 9-1-1 services are interrupted. 

The Impact of Ransomware Attacks on Private Businesses 

Ransomware attacks are not limited to the public sector. Private businesses are very much in the crosshairs of the professional cybercriminals who commit these crimes. According to the Emsisoft report, more than 1,300 companies, many based in the U.S., lost data, including intellectual property and other sensitive information in 2020. That’s just the number of companies with data published on websites where thieves post their ransom notes or stolen data for sale. It does not include the unknown number of companies that paid the ransom before anyone noticed.  

Few cyber-criminal groups released the data they stole in 2020. Only two are known to have done so after companies refused to pay a ransom. However, by the end of 2020, more companies were paying ransom figures over $200,000 on average to avoid the release of their compromised information.  

Many times, they paid the demands even if they didn’t have to do so. Emsisoft has documented cases where businesses with the necessary back-ups to restore their information still paid the ransom for fear their data would be released if they didn’t pay. Proving Phil Dusenberry’s theory, the most profitable form of writing…is a ransom note. 

ITRC to Release Annual Data Breach Report 

Next week, the ITRC will publish its annual report on data breaches. The report includes how many breaches occurred, who was impacted, why they occur and much more. There are some very interesting trends that we’ll discuss in our next episode.  

Contact the ITRC 

If you have questions about how to protect your information from data breaches and data exposures, visit idtheftcenter.org, where you will find helpful tips on this and many other topics.  

If you think you have already been the victim of an identity crime or a data breach and you need help figuring out what to do next, contact us. You can speak with an expert advisor on the phone (888.400.5530), chat live on the web or exchange emails during regular business hours (6 a.m. to 5 p.m. PST). Visit the company website to get started. 

If you want to work ahead and read our 2020 Data Breach Report, our 15th annual edition, it will be posted on our website on Thursday, January 28, as part of Data Privacy Day. Just visit idtheftcenter.org

  • The list for the most common passwords in 2020 is out, released by cybersecurity firm NordPass. The three most common passwords of 2020 are 12345, 123456789 and picture1.  
  • Weak passwords continue to be a security issue. According to Verizon, compromised passwords are responsible for 81 percent of hacking-related data breaches
  • To strengthen password security, consumers should change their password to a passphrase, never reuse a password (consider a password manager), use two-factor authentication when possible and never use work passwords at home (and vice versa). 
  • For information about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) new data breach tracking tool, notifiedTM
  • For more information on how to upgrade your password, contact the ITRC toll-free at 888.400.5530 or by live-chat on the company website.  

Subscribe to the Weekly Breach Breakdown Podcast  

Every week the Identity Theft Resource Center (ITRC) looks at some of the top data compromises from the previous week and other relevant privacy and cybersecurity news in our  Weekly Breach Breakdown Podcast. This week, we will look at one of the behaviors that are increasingly at the foundation of many, if not most, data compromises in 2020: weak passwords

Why Passwords are Important 

As ITRC Chief Operating Officer James Lee mentions in the podcast, like the Porter outside Macbeth’s castle, passwords are designed to allow entry to our personal and work castles. Passwords protect the devices that are home to the applications and data we use and create.  

Passwords in the 1980s and 1990s 

People have been protecting passwords since the 1980s. The first passwords were simple, and most people only needed one. Maybe the password was assigned to someone at work, so they used the same one at home; that is if there was a computer at home. People were told never to write down their password.  

Then came the internet in the mid-1990s, and suddenly there was a need for more passwords. People needed a password for their AOL or Earthlink account. Eventually, people had to add passwords to the handful of other online accounts they created. However, most people probably just used the same word or set of numbers that was their device login password. 

Passwords Today 

Fast forward to today, according to cybersecurity firm NordPass, the average person now has to manage a staggering 100 passwords, up 25 percent from 2019. The rise is due, in part, to the increase in online transactions during 2020 related to COVID-19.  

Most Common Passwords 

NordPass also publishes an annual list of the most common passwords, which also corresponds with the passwords cracked most often by professional data thieves. Here are the top 10 most common passwords of 2020 and how long it takes a cybercriminal to crack the password: 

  1. 12345 (takes less than one second to break) 
  1. 123456789 (takes less than one second to break) 
  1. picture1 (takes up to three hours to crack) 
  1. password ( takes less than one second to break) 
  1. 12345678 (takes less than one second to break) 
  1. 111111 (takes less than one second to break) 
  1. 123123 (takes less than one second to break) 
  1. 12345 (takes less than one second to break) 
  1. 1234567890 (takes less than a second to break) 
  1. Senha (the Portuguese word for password; takes 10 seconds to break) 

The Dangers of Weak Passwords 

Weak passwords allow cybercriminals to access systems and accounts easily. People use weak passwords because there are so many to remember, which also prompts people to use the same weak passwords on multiple accounts and use them at work and home. 

Here are a few statistics from earlier in 2020: 

What You Can Do to Avoid Weak Passwords 

The good news is that people can do many things to make sure they have strong passwords that will keep their accounts secure. Here are some tips: 

  • Change your password to a passphrase. Use a passphrase like a movie quote, a song lyric, or a favorite book title that is easy to remember and at least 12 characters long. It would take a cybercriminal 300 years to crack a 12-character passphrase with upper and lower case letters. If you add a number, the passphrase will last 2,000 years.  
  • Never reuse your passwords, or passphrases since you just upgraded, right? If you have too many passwords to remember, use a password manager. If you want a free solution, many browsers offer a form of a built-in password manager. Safari and Firefox are two examples. 
  • Use two-factor authentication when it’s available. An authentication app like those offered by Microsoft and Google is best. However, even the two-factor authentication version that sends a code to you by text is better than no multi-factor authentication. 
  • Never use your work password at home, or vice versa. Stolen work credentials are one way cybercriminals use to get the access they need to launch ransomware attacks against companies.  

notifiedTM   

For information about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notifiedTM. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.  

Contact the ITRC  

If you have questions about how to upgrade your password to protect your information from data breaches and exposures, visit www.idtheftcenter.org, where you will find helpful tips on this and many other topics. If you think you have already been the victim of an identity crime or a data breach and you need help figuring out what to do next, contact us. You can speak with an expert advisor at no-cost by calling 888.400.5530 or chat live on the web. Just visit www.idtheftcenter.org to get started. 

Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.  

  • Vertafore, a Denver based insurance tech company, discovered three files containing driver-related information were posted to an unsecured online storage service. The files included data from before February 2019 on nearly 28 million Texas drivers.
  • The files included lienholder information, drivers’ license numbers, names, dates of birth, addresses and vehicle registration histories.
  • Failing to secure a cloud database is tied with ransomware as the most common cause of data compromise, according to IBM. The ITRC’s own data breach information corroborates the findings.
  • Consumers impacted by the Vertafore data compromise need to follow the advice given by Vertafore and the Texas Department of Public Safety. Vertafore is offering one year of free credit monitoring and identity restoration services.
  • For more information on the Texas driver’s records exposed, contact the Identity Theft Resource Center toll-free at 888.400.5530 or live-chat on the company website.
  • For the latest on data breaches, visit the ITRC’s data breach tracking tool notifiedTM.

Subscribe to the Weekly Breach Breakdown Podcast

Every week the Identity Theft Resource Center (ITRC) looks at some of the top data compromises from the previous week and other relevant privacy and cybersecurity news in our Weekly Breach Breakdown Podcast. This week, we will discuss the Vertafore data compromise that exposed personal information to the risk of being stolen by a cybercriminal by not installing security on a cloud storage service.

What We Know

There is one thing that almost everyone carries in their pocket – their driver’s license. Without a driver’s license, people can’t legally drive or show proof of age or identity. It is one of the most important forms of identification a person needs in the U.S. That is why a recent event that led to Texas driver’s records exposed has millions of people worried about how it could affect them.

Vertafore, a Denver based insurance tech company, discovered that three files containing driver-related information were moved to an unsecured online storage service. In other words, it was moved to a third-party cloud database with no security. The files included data before February 2019 on nearly 28 million Texas drivers. The files included lienholder information, drivers’ license numbers, names, dates of birth, addresses and vehicle registration histories.

In a statement announcing that Texas driver’s records were exposed, Vertafore says there is no evidence of information misuse. However, the company acknowledges that there is evidence an unknown and unauthorized party accessed the information. Other Vertafore data – including partner, vendor or additional supplier information – and systems remain unimpacted. No Vertafore systems were found to include known software vulnerabilities, and Vertafore immediately secured the suspect files.

Investigators hired by the company believe the unauthorized access to the data occurred between March 11 and August 1 of 2020. The files supported one of Vertafore’s products that helps insurance companies determine insurance policy costs. The files did not contain Social Security numbers or financial information about consumers. Vertafore is offering one year of free credit monitoring and identity restoration services.

Cloud Databases Continue to be Left Unsecured

Unfortunately, this kind of event is far too common. On last week’s podcast, we highlighted another company that left a cloud database unsecured, leading to nearly ten million people’s travel accounts being available online.

Failing to secure a cloud database is tied with ransomware as the most common cause of data compromise, according to IBM. The ITRC’s own data breach information corroborates the findings. Most of the time, there is no evidence data thieves removed or copied the data – meaning the risk of misuse is relatively low. However, it is not zero. It is why consumers impacted by the Vertafore data compromise need to follow the advice given by Vertafore and the Texas Department of Public Safety.

How the Data Ends Up in the Hands of a Private Company

The event that led to Texas driver’s records exposed has prompted consumers to ask questions about how their driver’s license and related data ends up in the hands of a private company. That is not an uncommon question when data breaches, compromises and exposures involve businesses that victims have never heard of – and did not give permission for their data to be shared.

While the answer to the question varies from state to state, the response is almost always some version of “it’s legal.” Also, consumers rarely have the opportunity to “opt-in” or “opt-out” of the sale or sharing of information like driver’s license data by the government.

In response to questions about the Vertafore compromise, the State of Texas issued a statement about the use of driver’s data:

“Texas law permits, and at times requires, the release to authorized parties of driver license and vehicle registration information.”

In the case of Vertafore, the permitted use involves ensuring companies have the data they need to appropriately price insurance premiums for drivers.

Even the nation’s toughest privacy law, the California Consumer Privacy Act (CCPA), allows personal information from government agencies to be sold and shared for certain purposes without the consumers’ consent. Generally, consumers cannot opt-out of these uses if they are designed to prevent fraud or are used to verify someone’s identity.

notifiedTM  

For information about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notifiedTM. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.  

Contact the ITRC

If you have questions about how to protect your information from data breaches and data exposures, or if you want to learn more about the Vertafore data compromise, contact the ITRC. You can speak with an advisor toll-free over the phone (888.400.5530), live-chat on the web, or email itrc@idtheftcenter.org during business hours. Just visit www.idtheftcenter.org to get started. Also, download the free ID Theft Help App to access resources, a case log and much more.  

Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.